Today Kandji is announcing first-in-the-market support for active Declarative Device Management (DDM) for supervised devices. Not only has Kandji enabled DDM, but we also support actively managing configuration declarations—one of the core technologies that powers DDM.
With this first release, we've updated our Passcode Library Item to automatically use configuration declarations for iOS 16 and iPadOS 16 devices. But that's just the first step in a revolutionary transformation of the way mobile device management works on Apple platforms.
What Is Declarative Device Management?
Declarative Device Management is an entirely new device management architecture developed by Apple. With DDM, much of the decision-making in managing devices moves to the devices themselves. Devices can self-remediate gaps in configuration and inform the device-management server of any changes through a new status channel. This means device configurations and remediations happen faster, and there’s less back-and-forth communication between devices and the server.
As Apple puts it, DDM “inspires more confidence that the device is in the expected state. And in the situations where it is not, that it is in a safe state that protects any sensitive organization data, even when connectivity to the server is lost.” Apple smartly made DDM part of the existing MDM protocol that we’ve been using for more than a decade, so MDM and DDM can co-exist on the same device.
How Kandji Supports Declarative Device Management
When DDM was initially launched at WWDC 2021, it was available only on iOS devices that had been enrolled via User Enrollment. But this year, Apple expanded DDM to all of its platforms and all enrollment types, including Device Enrollment and Automated Device Enrollment. This has allowed Kandji to adopt DDM—and, starting today, enable it for macOS, iOS, and iPadOS.
In addition, newly enrolled devices running iOS 16 or iPadOS 16 that are managed with Kandji and have a passcode policy set via a Passcode Library Item will have that policy applied natively via DDM instead of legacy MDM profiles—with no extra steps required by the admin. Instead of sending a legacy configuration profile containing the passcode policy, we create a configuration declaration with the same policy.
Our team built an entirely new, highly scalable architecture to support all core Declarative Device Management technologies: enrollment, declarations, and the status channel. As Apple makes more MDM profile payloads available as configuration declarations with full settings parity, we will adopt them quickly.
Apple announced at WWDC 2022 that declarative device management will be “the focus of future protocol features.” We’re excited to continue building on the foundation we’re announcing today as Apple releases additional DDM functionality in the months and years ahead.